Configuring the Kerberos token policy set for JAX-WS applications

Use this topic to enable the Kerberos token policy set for JAX-WS applications.

Before you begin

Prior to beginning this task, you must specify the Kerberos configuration information for IBM® WebSphere® Application Server. For more information, see Kerberos (KRB5) authentication mechanism support for security.

The configuration model for the Kerberos token enables you to choose from the following existing WebSphere Application Server frameworks:
  • For JAX-RPC applications, the deployment descriptor and bindings are used in the configuration. A JAX-RPC application includes the deployment descriptor for a Kerberos custom token, which is configured with authentication tokens.
  • For JAX-WS applications, the configuration uses a policy set and bindings. A custom policy set, with the Kerberos token configured for authentication tokens, message protection tokens, or both, is attached to the JAX-WS application.
Note: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied.

About this task

Complete the following steps to configure the Kerberos token policy set for JAX-WS applications using the administrative console for WebSphere Application Server. In these steps, the Main policy configuration panel refers to the administrative console panel that is available after you complete the first five steps.

Procedure

  1. Expand Services > Policy sets and click Application policy sets > New to create a new policy set.
  2. Specify a name and a short description for the new policy set and click Apply.
  3. From the Policies heading, click Add and then select the WS-Security security policy type.
  4. Click OK and click Save to save the new configuration directly to the master configuration.
  5. In the Policies field, click WS-Security and click Main policy on the WS-Security panel to configure the main policy for the Kerberos token policy set.
  6. From the Key Symmetry heading, select Use symmetric tokens for message protection.
  7. Click Symmetric signature and encryption policies to configure the Kerberos custom token type or clear the Message level protection check box if you are configuring an authentication token only.
    Important: You do not need to configure the request token policy if you are using the Kerberos token for message protection. If you are configuring the authentication token only, proceed to the next step. If you are not configuring the request token policy for the authentication token, skip the next step.
  8. On the Main policy configuration panel, configure the policy for the request token if you are configuring the authentication token.
    1. From the Policy Details heading, click Request token policies.
    2. Click Add token type and select Custom.
    3. Specify the name of the custom token in the Custom token name field.
    4. Specify the local part value in the Local part field.
      For interoperability with other web services technologies, specify the following local part: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability issues, you can specify one of the following local name values:
      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

      These alternative values depend on the specification level for the Kerberos AP-REQ token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Token type settings.

    5. Do not specify a value for the Namespace URI field if you are generating a Kerberos token.
    6. Click OK and Save to save the configuration directly to the master configuration.
    This step completes the configuration of the request token policy for the authentication token. If you are configuring the authentication token only, you do not need to complete the next two steps. If you are configuring message protection, complete the next steps to configure the encryption and symmetric signature policies.
  9. Return to the main policy configuration panel for the application policy set and click Symmetric signature and encryption policies to configure the encryption and symmetric signature policies.
    1. From the Message Integrity heading, click the Action menu list for the Token type for signing and validating messages field and select Custom.
    2. From the Message Confidentiality heading, select the Use same token for confidentiality that is used for integrity option.
    3. Click OK and Save to save the configuration changes.
    4. From the Message Integrity heading, click the Action menu list for the Token type for signing and validating messages field and select Edit Selected Type Policy.
    5. Edit the custom token type for the signature and encryption by specifying the local part for the Kerberos custom token.

      For example, specify http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value. Do not specify a Namespace URI value.

    6. Click OK and then click the Save link to save the configuration changes.
  10. Return to the main policy configuration panel for the application policy set and click Algorithms for symmetric tokens to configure the symmetric token algorithm.
    1. Select the algorithm suite to use for the symmetric tokens from the Algorithm suite menu list.
      Select the Advanced Encryption Standard (AES) algorithms for a Kerberos token that is compliant with RFC-4120.
      The symmetric key wrap, or private key cryptography, algorithms include:
      • Triple DES key wrap: https://www.w3.org/2001/04/xmlenc#kw-tripledes
      • AES key wrap (aes128): https://www.w3.org/2001/04/xmlenc#kw-aes128
      • AES key wrap (aes256): https://www.w3.org/2001/04/xmlenc#kw-aes256
      Restriction: To use the 256-bit AES encryption algorithm, you must apply the unlimited jurisdiction policy files. To remain in compliance, see Basic Security Profile compliance tips.

      [AIX Solaris HP-UX Linux Windows] Before downloading these policy files, mount the product HFS as read/write. Back up the existing policy files prior to overwriting them, in case you want to restore the original files later. The existing policy files, which are the local_policy.jar and US_export_policy.jar files, are located in the WAS_HOME/java/jre/lib/security/ directory.

      [z/OS] Before downloading these policy files, mount the product HFS as read/write. Back up the existing policy files prior to overwriting them, in case you want to restore the original files later. The existing policy files, which are the local_policy.jar and US_export_policy.jar files, are located in the WAS_HOME/java/lib/security/ directory.

      Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
      For application server platforms using IBM Developer Kit, Java™ Technology Edition Version 5, you can obtain unlimited jurisdiction policy files by completing the following steps:
      1. Visit the IBM developerWorks: Security Information website.
      2. Click Java 5.
      3. Click IBM SDK Policy files.

        The Unrestricted JCE Policy files for SDK 5 website is displayed.

      4. Enter your user ID and password or register with IBM to download the policy files. The policy files are downloaded onto your workstation.
      5. Re-mount your product HFS as read/only.

      For more information on the algorithm suite components, see Algorithms settings.

    2. Select either the Exclusive canonicalization or Inclusive canonicalization value for the Canonicalization algorithm menu list.
      For more information, see XML digital signature.
    3. Specify the XPath 1.0 or XPathfilter 2.0 version to use from the XPath version menu list.
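The restriction in step 10 (256-bit AES key wrap requires the unlimited jurisdiction policy files) is easy to verify before attaching the policy set. The following class is an added example, not part of the IBM documentation or product: it asks the running JVM what AES key length its JCE jurisdiction policy permits and checks that the two policy jars named above are present under java.home. The class name JcePolicyCheck and the exit code are assumptions of this example; run it with the same java executable as the application server (WAS_HOME/java/bin/java) so that it reports on the SDK the server actually uses.

```java
import java.io.File;
import javax.crypto.Cipher;

/**
 * Added check (not IBM code): reports whether this JVM's JCE jurisdiction policy
 * permits 256-bit AES, which the kw-aes256 key wrap selected in the symmetric
 * algorithm suite needs at runtime.
 */
public class JcePolicyCheck {

    /** Key-wrap URI from the Algorithms for symmetric tokens panel and the AES key size it implies. */
    static final String KW_AES256 = "https://www.w3.org/2001/04/xmlenc#kw-aes256";
    static final int AES256_BITS = 256;

    /** True when the installed jurisdiction policy allows AES keys of at least the requested size. */
    static boolean aesKeySizeAllowed(int bits) throws Exception {
        // Integer.MAX_VALUE with the unlimited policy files installed; 128 under the
        // default restricted policy of SDKs of the vintage this page describes.
        return Cipher.getMaxAllowedKeyLength("AES") >= bits;
    }

    /** True when both jurisdiction policy jars exist in the JRE that is running this check. */
    static boolean policyJarsPresent() {
        // java.home is the JRE directory, i.e. WAS_HOME/java/jre on distributed platforms.
        File dir = new File(System.getProperty("java.home"), "lib/security");
        return new File(dir, "local_policy.jar").isFile()
            && new File(dir, "US_export_policy.jar").isFile();
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.home           : " + System.getProperty("java.home"));
        System.out.println("policy jars present : " + policyJarsPresent());
        System.out.println("max AES key length  : " + (max == Integer.MAX_VALUE ? "unlimited" : max));
        if (!aesKeySizeAllowed(AES256_BITS)) {
            System.out.println("Restricted policy in effect: " + KW_AES256
                + " will fail at runtime. Apply the unlimited jurisdiction policy files,"
                + " or select the aes128 or Triple DES key wrap in the algorithm suite.");
            System.exit(1);   // assumed convention: non-zero exit when the policy set cannot be honoured
        }
        System.out.println("256-bit AES permitted: " + KW_AES256 + " can be used.");
    }
}
```

Re-run the check after each fix pack, because, as noted at the top of this topic, SDK updates can silently overwrite the unrestricted policy files.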

What to do next

Configure the bindings for message protection for Kerberos for JAX-WS applications. For more information, see Configuring the bindings for message protection for Kerberos.